The RBI noted, "No specific factor was mandated for authentication, but the
The draft discusses the Additional Factor of Authentication (AFA), which involves using more than one factor to authenticate a payment instruction. It requires that the process validate and confirm the credentials of the customer initiating the payment.
Furthermore, the draft specifies that issuers must obtain explicit consent from customers before enabling any new authentication factor. Customers should also have the option to deregister from using the new authentication method.
The draft states, "All digital payment transactions, other than card present transactions, shall ensure that one of the factors of authentication is dynamically created, i.e., the factor is generated after initiation of payment, is specific to the transaction and cannot be reused."
Additionally, the draft mandates that issuers must have a system to alert customers in near real-time for all eligible digital payment transactions. It also prohibits transaction issuers from entering into exclusive arrangements with any Payment Service Provider or Technology Service Provider, which could limit their ability to implement alternative authentication solutions.
RBI has proposed
The banking regulator also suggests that the issuer shall be liable for the process and technology deployed for authenticating digital payments. There should also be a system of alerting the customer in near real time for all digital payment transactions.
The draft notes that small-value card-present transactions of up to Rs 5000 per transaction in contactless mode at Point of Sale (PoS) terminals are exempt from the AFA requirement.
The central bank has invited comments and feedback on the draft framework until September 15, 2024. The proposed alternative authentication mechanisms aim to provide more choices for authentication factors to Payment System Operators and users.